Hackers have exploited a weakness in the popular open-source Windows-based code editor Notepad++ to deliver highly targeted malicious code to compromised computers. Most Notepad++ users have little to worry about, but it is vital that you update to Notepad++ 8.9.1 or newer, which fixes part of the weakness that was exploited. It is also worth noting that Notepad++ is bundled with the excellent C gamedev framework Raylib.
Details from the Notepad++ announcement:
According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests.
The incident began in June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.
TL;DR
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. All remediation and security hardening were completed by the provider by December 2, 2025, successfully blocking further attacker activity.
The reason most people need not be too concerned (other than, of course, updating immediately to remove the exploit vector!) is the nature of the attack, as described by Help Net Security:
This state of affairs has been exploited by the attackers, who managed to intercept the network traffic between the updater client and the Notepad++ update infrastructure, to deliver and execute a malicious update instead of a benign one.
“Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download,” Beaumont noted in December. “To do this at any kind of scale requires a lot of resources.”
Beaumont shared that the targeted organizations were telecommunications and financial services organizations in East Asia, and attributed the attacks to Chinese nation-state threat actors Zirconium, aka Violet Typhoon.
The supply chain compromise apparently happened in June 2025 and, according to the software’s hosting provider, the shared hosting server remained compromised until September 2, 2025, when the attackers lost access to it after its kernel and firmware were updated.
Key Links
Top Code Editors & IDEs in 2025 Guide
You can learn more about the Notepad++ hack/exploit in the video below.
